b'May 24, 2001\nAudit Report No. 01-011\n\n\nDevelopment of the FDIC\'s Public Key\nInfrastructure\n\x0cFederal Deposit Insurance Corporation                                                        Office of Audits\nWashington, D.C. 20434                                                           Office of Inspector General\n\n\n\n   DATE:            May 24, 2001\n\n\n   TO:              Donald C. Demitros, Director, Division of Information Resources Management,\n                    and Chief Information Officer\n\n\n\n\n   FROM:            David H. Loewenstein\n                    Assistant Inspector General\n\n   SUBJECT:         Audit of the Development of the FDIC\'s Public Key Infrastructure (Audit Report\n                    No. 01-011)\n\n\n   The Federal Deposit Insurance Corporation\'s (FDIC) Office of Inspector General (OIG) has been\n   involved in auditing the development of the Corporation\'s public key infrastructure (PKI) since\n   1997. The objectives of this audit were to ensure that the development of the FDIC\'s PKI (1)\n   follows a structured approach, (2) addresses user requirements, (3) considers viable alternatives,\n   (4) is adequately tested, and (5) incorporates needed controls. In accomplishing our objectives,\n   we determined if the FDIC\'s PKI will meet generally recognized security standards, be sanctioned\n   by the U. S. General Accounting Office (GAO) for use with the FDIC\'s fully automated financial\n   systems that affect the annual financial statements, and benefit from "lessons learned" at other\n   federal agencies. This report discusses our interaction thus far with the Divisions of Information\n   Resources Management (DIRM) and Finance (DOF), GAO, the National Institute of Standards\n   and Technology (NIST), and interested parties from other federal agencies. 
Our report also\n   provides recommendations regarding certain future steps DIRM and the corporate user\n   community should take when developing and implementing the FDIC\'s PKI and the automated\n   systems that will use digital signature technology.\n\n\n   BACKGROUND\n\n   In recent years, the dramatic rise in computer technology has changed the ways individuals,\n   businesses, and government entities interact. Business-to-business transactions are increasingly\n   being accomplished through the Internet and other means of electronic data exchange.\n   Government agencies have implemented many E-government applications, including the\n   purchase of goods and services, electronic claim filing, and client applications for federal\n   benefits.\n\n   Recent legislation such as Public Law 105-277, the Government Paperwork Elimination Act\n   (GPEA), enacted on October 21, 1998, and Public Law 106-229, the Electronic Signatures in\n   Global and National Commerce Act (ESIGN), enacted on June 30, 2000, will accelerate the\n\x0cimplementation of e-commerce activities throughout the federal government. Specifically, GPEA\nrequires federal agencies to allow individuals and entities the option of submitting information or\ntransacting with agencies electronically, whenever feasible. GPEA sets October 2003 as the\ndeadline for federal agencies to provide individuals and entities that deal with them the option of\nelectronic maintenance, submission, or disclosure of data as a substitute for paper. GPEA also\nassigns the Office of Management and Budget (OMB) the responsibility for ensuring that federal\nagencies meet the October 2003 deadline. To promote a structured process for complying with\nGPEA, OMB has issued implementation guidance that describes the process and principles that\nagencies should employ when evaluating, using, and accepting electronic signatures. 
OMB also\nrequired federal agencies to submit a GPEA implementation plan and schedule by October 2000.\nIn addition, ESIGN has established the legal validity of electronic signatures throughout the\nUnited States and applies to any transactions that affect interstate or foreign commerce.\n\nA recent GAO report, ELECTRONIC GOVERNMENT: Government Paperwork Elimination Act\nPresents Challenges for Agencies, dated September 2000 identified the challenges that lie ahead\nas federal agencies adopt e-commerce activities to transition to E-government. These challenges\ninclude sound IT investment policy, adequate and documented systems architecture, effective\nsecurity and privacy, PKI interoperability, 1 reliable record keeping, and the provision for\nexpertise and training.\n\nTo provide adequate controls and security for systems using electronic signatures, an application\nneeds to validate the identity of the individual approving the documents and ensure that the data\nassociated with the approval cannot be modified without detection. PKI is the methodology that\nhas been developed to provide electronic signature technology in an effective and efficient\nmanner. NIST has taken a leadership role in the development of standards for federal PKIs that\nwill support electronic signatures and other security services.\n\nThe FDIC initiated the development of the Corporation\'s PKI in late 1996. 
In 1997, the OIG\nissued a memorandum to the Director of DIRM and another to the Directors of DIRM and DOF.\nThe memoranda suggested that the FDIC (1) adopt electronic signature software, hardware, and\ntechniques that comply with NIST guidelines; (2) issue a directive stating that the selected\nelectronic signature software, hardware, and techniques will apply to all FDIC systems using that\ntechnology; (3) contact other federal agencies that have received GAO\'s sanction of their\nelectronic signature modules to determine whether the FDIC could make use of other agencies\'\ndevelopment efforts; and (4) develop a fully documented long-range plan to bring the FDIC\'s\nelectronic signature module into agreement with federal PKI functionality. The FDIC had\nimplemented all of our suggestions as of January 2001.\n\nOn June 30, 1998, our office issued an audit report entitled Audit of Implementation of Electronic\nSignatures to Support the Electronic Travel Voucher Payment System (ETVPS) and Other\nPlanned Systems (Audit Report Number 98-052). In that report, we determined that the FDIC\nwas proposing to use an electronic signature module that may not have provided adequate\nsecurity for corporate-wide use. We also found that a lack of coordination within DIRM\n\n1\n PKI interoperability is the ability of differing public key infrastructures to exchange electronically signed\ndocuments. The federal government is developing a "bridge" certificate authority (CA) to accomplish this. The\nFDIC will use a bridge CA to cross-certify with other entities.\n\n\n                                                        2\n\x0cprecluded other system development efforts requiring electronic signature technology from being\nincluded in corporate requirements. 
In the report we recommended that the Director, DIRM\n(1) establish a long-range PKI development plan, (2) perform an alternatives analysis comparing\nthe available alternative for providing FDIC\'s electronic signature needs, and (3) ensure that\nDIRM security personnel and system development project managers communicate on a regular\nbasis to identify requirements for electronic signatures. All recommendations had been\nimplemented by DIRM as of January 2001.\n\nSince issuing the memoranda and report, the OIG has continued to work closely with DIRM,\nNIST, and GAO personnel by reviewing the development of the FDIC\'s PKI. DIRM established\na PKI project plan that included additional tasks and milestones for bringing the electronic\nsignature component of its PKI into compliance with NIST standards for high-risk systems.\nDIRM also initiated working groups with (1) NIST and GAO to develop a compliant PKI,\n(2) federal agencies involved in the federal PKI project, and (3) other federal financial institution\nregulatory agencies to share best practices for PKI development. In addition, DIRM began\ndeveloping needed PKI documentation, such as the certificate policies and practices statement 2\nthat GAO deemed necessary to follow a structured PKI development process. Additionally,\nDIRM developed a certificate policy statement for a single PKI with four levels of assurance,\nbasic, low, medium and high, as GAO had recommended. We estimate that the FDIC expended\nmore than $3 million through calendar year 2000 to develop and maintain its PKI.\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nThe objectives of this audit were to ensure that the development of the FDIC\'s PKI (1) follows a\nstructured approach, (2) addresses user requirements, (3) considers viable alternatives, (4) is\nadequately tested, and (5) incorporates needed controls. 
This interim phase of our audit applied\nthese objectives to the planning and development of the PKI by the FDIC with the assistance of\nGAO and NIST.\n\nTo address these objectives, we reviewed PKI documentation developed by DIRM for\ncompliance with NIST and GAO standards and other generally accepted PKI practices. In\naddition, we interviewed and held status meetings with DIRM, NIST, and GAO personnel\ninvolved in the PKI development process. Finally we tracked the ability of DIRM to meet agreed\nupon milestone dates. The audit was performed between February 2000 and January 2001 in\naccordance with generally accepted government auditing standards. Due to the evolving nature\nof the PKI development process, we will continue our audit involvement throughout the process.\n\n\nRESULTS OF AUDIT\n\nBetween 1997 and mid-2000, the FDIC developed and implemented a low assurance PKI that\nwas used for the Electronic Travel Voucher Payment System (ETVPS). However, less\nsignificant progress was made in developing a single PKI for all levels of assurance. While the\n\n2\n Certificate policies and practices are the documents that initially describe the concept of operations that the FDIC\nwill use to develop its PKI.\n\n\n                                                          3\n\x0cFDIC\'s progress developing its PKI indicates that it is pursuing an effective course of action in\naddressing the tasks needed to implement an effective PKI that will benefit the Corporation and\nmeet GAO sanctioning requirements, additional actions described in this report can further\nenhance the FDIC\'s efforts. Specifically, DIRM PKI personnel should ensure that all PKI-\nrelated documents are developed using NIST standards and GAO guidelines, and adhere to\nnewly established PKI development milestones. 
In addition, using OMB\'s GPEA guidelines, the\nDirector, DIRM, and Chief Information Officer (CIO) should develop an E-Government\nimplementation plan.\n\n\nTHE FDIC HAS MADE PROGRESS IN PKI DEVELOPMENT BUT MORE REMAINS\nTO BE DONE\n\nSince 1997, we have provided DIRM with our suggestions and recommendations for improving\nits PKI development process. After a slow start in developing a single PKI that encompassed all\nfour levels of assurance - basic, low, medium and high, DIRM began substantive discussions in\n2000 with NIST and GAO regarding the development of a compliant PKI. Our office has\ncontinued to maintain an active presence in the development of the FDIC\'s PKI by reviewing\nrequired PKI documentation and attending PKI status meetings with DIRM, DOF, GAO, NIST,\nand personnel from other federal organizations. DIRM\xe2\x80\x99s actions to date to develop an effective\nand compliant PKI have resulted in significant progress. We believe that the additional actions\ndescribed in this report can further improve the process and enhance assurance of effective\ncoordination between all involved parties.\n\nPKI Development Process Can Be Expedited\n\nIn the early stages of development, the FDIC did not progress as quickly as anticipated in\ndeveloping a secure PKI. For example, the original DIRM PKI development plan, developed in\nresponse to our June 30, 1998 audit report contained critical tasks and milestones for the\ndevelopment of the PKI. The critical elements of the plan included the development of a PKI\nconcept of operations that complied with NIST standards for high-risk systems by August 1998\nand the delivery of NIST-compliant PKI hardware for high-risk users by June 1999. Neither task\nhad been attained as of December 31, 2000. 
However, during 2000 DIRM re-focused its efforts\nand made progress completing the tasks.\n\nDuring 2000, we were actively involved in reviews of a memorandum of understanding (MOU)\nbetween DIRM and NIST, and the FDIC\'s PKI certificate policies and practices. The MOU\nbetween the FDIC and NIST described the roles and responsibilities of each organization,\ndeliverables, and funding for the development of the FDIC\'s PKI. The MOU was completed in\nAugust 2000, and the certificate policies and practices were in the draft stage as of January 31,\n2001. Further, DIRM personnel have begun using instructions and examples provided by GAO\nfor the development of PKI deliverables.\n\nOn September 22, 2000, we met with DIRM, DOF, and GAO personnel involved in the FDIC\'s\nPKI development process. At that meeting, we determined that DIRM\'s progress in\nimplementing a high-risk level PKI was still behind the original schedule. DIRM management\n\n\n\n                                                4\n\x0cexpressed concerns about the labor-intensive process needed to ensure adequate controls during\nthe PKI certificate issuance process. The need for effective controls during this process is\ncritical to implementing a PKI for high-risk transactions because of the increased need to ensure\nthe identity of the individual being assigned the certificate. A GAO representative involved in\nthe sanctioning process described a number of alternatives for handling the initial registration\nand certificate re-issuance processes and offered to provide DIRM management with points of\ncontact at other federal agencies that had used effective methods. DIRM personnel agreed to\nconsider these processes. The GAO representative also stated that a certificate policy statement\nwas needed with practice statements for each of the four different levels of assurance required of\nan effective PKI. 
These levels provide for basic assurance, low assurance, moderate assurance,\nand high assurance.\n\nDuring the meeting, DIRM agreed to expedite its PKI activities, develop and implement an\neffectively controlled certificate issuance process, and develop a high-level policy for its PKI.\nSince that meeting, DIRM has enhanced its efforts to develop a PKI that meets GAO and NIST\nguidelines and has developed a new PKI project plan. The plan includes such critical FDIC\nactivities as the completion of the certificate policy and practice statements by October 2001, and\nan application program interface (API) functional review by January 2002. The function review\nis performed to ensure that the API contains all the functionality needed to properly interface\nwith all applications that will use the PKI. If adhered to, the schedule will permit NIST to fulfill\nits role and test the API by the scheduled February 2003 goal. Other tasks that are scheduled to\nbe completed by February 2003 include software and hardware upgrades to the digital signature\nmodule and required documentation. These documents include a concept of operations, audit\nprocedures, certificate practices statements for all assurance levels, API usage guidelines,\narchitecture description, disaster recovery procedures; and operating instructions for the\ncertificate and registration authorities.\n\n\nRecommendations\n\nThe Director, DIRM, and CIO should continue to ensure that:\n\n(1) all documents required for a NIST-compliant PKI are developed using NIST standards and\n    GAO guidelines.\n\n(2) PKI development personnel adhere to the established milestones for the development and\n    implementation of the FDIC\xe2\x80\x99s PKI.\n\n\nBetter Planning and Coordination Between DIRM and Future PKI Users Would Facilitate\nthe FDIC\'s Transition to E-Government\n\nOver the past 3 years, the FDIC initiated development of several fully automated systems that\nwere intended to reduce costs and paperwork. 
Only one of these systems, ETVPS, has been\nplaced into production. Many of the planned systems were being designed to provide for\nelectronic approval of documents for payment or other authorization purposes. However, FDIC\n\n\n\n                                                 5\n\x0cmanagement has yet to develop a business case that justifies the use of electronic signatures as a\nneeded security measure for a planned or existing application.\n\nIn a June 30, 1998 audit report, we reported that an increase in internal coordination within DIRM\nwas needed to ensure that all system requirements for the use of electronic signatures were\naddressed. We recommended that the Director, DIRM, ensure that security personnel and project\nmanagers communicate on a regular basis to identify future requirements for electronic signatures\nand other security needs.\n\nOur office attended meetings with GAO, DOF, and DIRM personnel on November 8, 2000 and\nDecember 7, 2000. At those meetings, we determined that increased communication between\nDIRM and its clients regarding the roles and responsibilities of each office in the development of\nthe FDIC\'s PKI would expedite the development of an overall strategic plan to implement PKI as\npart of the FDIC\'s transition to E-government. We also determined that an existing or planned\ncandidate application that could effectively employ the FDIC\'s PKI had not been designated. A\nGAO representative stated that client organizations, with DIRM\xe2\x80\x99s assistance, should designate a\ncandidate application, existing or planned, to initially employ the FDIC\'s PKI.\n\nActive communication between DIRM and its clients in identifying and preparing business cases\nfor existing and new applications that should employ PKI can help to ensure timely\nimplementation of an effective E-government plan. 
This plan should address the challenges\nGAO identified in its report, ELECTRONIC GOVERNMENT: Government Paperwork\nElimination Act Presents Challenges for Agencies. These challenges include the impact that E-\ngovernment will have on the Corporation\'s IT investment policy, system architecture, security\nand privacy, PKI interoperability, record keeping, and needed expertise and training. This plan\nshould also evaluate all existing and planned applications and develop a business case for each\napplication as to what method of security, including the use electronic signature technology, is\nrequired for the transition to E-government. After the evaluation of all applications, the plan\nshould identify the initial application that will avail itself of the new PKI technology. Finally,\nthe plan should require that security personnel are involved in the earliest stages of application\nplanning for the transition to E-government.\n\nWith the passage of GPEA and ESIGN, the transition to E-government has been accelerated. PKI\nhas emerged as one of the most important security solutions to e-business. As organizations\nincrease the level of security sophistication, different organizations must coordinate the\ndevelopment of their PKIs. Without this coordination, PKIs may be developed without the ability\nto inter-operate.\n\nWe believe the thrust of GPEA is to accelerate the transition to E-government by requiring\nfederal agencies to develop a business case for using electronic signatures in all transactions with\nthird parties. The ESIGN legislation complements GPEA in that it gives legal validity and\nenforceability within the United States to the use of electronic records and signatures in interstate\nand foreign commerce. We also believe that the FDIC could enhance its ability to ensure a\nseamless transition to E-government by closely adhering to OMB\'s GPEA guidelines in planning\nthe transition. 
In this way, the FDIC would follow the same process and timelines as other\nfederal agencies, thus ensuring that PKI security and interoperability problems are minimized.\n\n\n\n                                                 6\n\x0cIt is imperative that coordination between DIRM\'s security and development personnel and the\nFDIC\'s user community begin at the earliest stages of the system planning process. Without the\nearly involvement of security personnel in such a technical area as PKI, the project developers\nmay need to re-formulate system plans to ensure that the technicalities of PKI and electronic\nsecurity issues are adequately addressed. We also believe that before a high-risk candidate\napplication is selected for use in PKI testing, a business case should be developed for all critical\nFDIC applications to determine which applications will require electronic signatures. Without\nthis approach, the FDIC may have problems coordinating the development of the PKI and in its\ntransition to E-government.\n\n\nRecommendation\n\nThe Director, DIRM, and CIO should (3) develop an E-government implementation plan that\nuses OMB\'s guidelines for the implementation of GPEA and addresses the challenges outlined in\nGAO\'s report on electronic government.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\n\nOn March 19, 2001, the CIO provided a written response to the draft report. The CIO generally\nagreed with the report\'s findings and recommendations and provided the elements necessary for\nmanagement decisions on all three of the recommendations. 
The CIO\'s response is presented in\nits entirety in Appendix I of this report.\n\nWith regard to recommendations 1 and 2, the CIO indicated that DIRM will continue to enhance\nits efforts to develop a fully documented PKI and work closely with the OIG to complete the PKI\ndevelopment.\n\nIn his response to recommendation 3, the CIO noted that our report links PKI with the\nimplementation of GPEA and stated that GPEA does not mandate the use of PKI but describes a\nspectrum of currently available electronic signature technologies. We agree with the CIO\'s\ninterpretation of GPEA and understand that all applications may not require the use of a PKI.\nHowever, for clarification, it should be noted that most of the electronic signature technologies\nthat the CIO described are identified in OMB\'s guidance as non-cryptographic 3 methods of\nauthenticating identity. That is, the CIO is referring to such methods as personal identification\nnumbers, smart cards, digitized signatures and biometrics. We believe that if one reads OMB\'s\nexplanation of electronic signature technologies in its entirety, it is clear that the digital signature\nmethodology as implemented through PKI (a cryptographic method) is the only technology that\nbinds the identity of the signatory to the contents of a document. It is for this reason that we\nhave discussed PKI as the optimum method of implementing both electronic signature and other\nsecurity features. We have done so because PKI is a robust method of providing an electronic\nsignature and is the only current method that provides for non-repudiation of electronic\n\n3\n   Cryptography is the art or process of writing or deciphering secret code. Effective use of cryptography provides\nthe ability to securely exchange information with selected recipients.\n\n\n                                                         7\n\x0csignatures. 
This ability coupled with the fact that the FDIC has expended over $3 million\ndeveloping a PKI model that currently interfaces with the ETVPS strongly suggests to us that\nPKI provides a cost-effective solution to the FDIC\'s electronic signature needs. Ultimately, the\ndetermination of when to utilize PKI technology must be made based on the business case and\nassessed risk associated with the application. The CIO has stated that DIRM is committed to the\ndevelopment of an e-business plan that meets the intent of GPEA. We believe that if DIRM\nmeets all of the stated objectives and goals of that plan, PKI will be identified as a major part of\nthe FDIC\'s evolution to E-government.\n\n\n\n\n                                                 8\n\x0c                                          APPENDIX I\n                                    CORPORATION COMMENTS\n\n\n\n\nThe Division of Information Resources Management (DIRM) has reviewed the subject draft\naudit report and generally agrees with the findings and recommendations. As a general comment,\nit appears that the report links Public Key Infrastructure (PKI) closely with the implementation\nof the Government Paperwork Elimination Act (GPEA). We would like to note that GPEA does\nnot mandate that one particular form of electronic signature be used for E-government. The\n"OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act"\ndescribes a spectrum of currently available electronic signature technologies, such as: PIN or\npassword, smart card, digitized signature, biometrics, shared symmetric key cryptography, and\npublic/private key cryptography (digital signatures). 
As the FDIC moves forward with our E-\ngovernment activities, we will take advantage of the most appropriate technologies to meet our\nbusiness requirements.\n\nThe management decision for each specific recommendation is provided below.\n\nRecommendations : The DIRM Director, and CIO should continue to ensure that:\n(1) All documents required for a NIST-compliant PKI are developed using NIST standards and\n    GAO guidelines.\n    DIRM Response: DIRM agrees with the OIG recommendation and will continue to\n    enhance its efforts to develop a fully documented PKI that meets GAO and NIST guidelines.\n    All documentation supporting this effort will be developed using NIST standards and GAO\n    guidelines. DIRM will also continue to ensure the involvement of the OIG in the review and\n    comment of the PKI program and technical documentation.\n(2) PKI development personnel adhere to the established milestones for completing the\n    development and implementing the FDIC\xe2\x80\x99s PKI.\n    DIRM Response: DIRM agrees with the recommendation and will continue to work closely\n    with the OIG to complete the development and implementation of the FDIC\xe2\x80\x99s PKI and\n\n\n                                               9\n\x0c    ultimately GAO PKI sanctioning. The Information Security Staff updated its PKI project\n    plan in February, 2001 and established new milestones for completing the Entrust update of\n    Version 4 on the network servers, review of the certificate policy and development of a PKI\n    application program interface. To ensure the best possible adherence to the current project\n    milestones, the Deputy Director, Information Technology Management has established a\n    biweekly status meeting with the DIRM PKI project team. 
The status of all outstanding PKI\n    related milestones will be reviewed at each meeting beginning in March 2001.\n\nRecommendation: The DIRM Director, and CIO should:\n\n(3) Coordinate with other FDIC divisions and offices to develop an E-government\n    implementation plan that uses OMB\'s guidelines on the implementation of GPEA. The plan\n    should (a) determine the impact that E-government will have on the Corporation\'s IT\n    investment policy, system architecture, security and privacy, record keeping, and needed\n    expertise and training; (b) evaluate all existing and planned applications and develop a\n    business case for each application as to what method of security, including the use electronic\n    signature technology is required for the transition to E-government; and (c) identify the\n    initial application that will avail itself of the new PKI technology, and (d) ensure that\n    security personnel are involved in the earliest stages of application planning for the transition\n    to E- government.\n\n    DIRM Response:\n\n    The FDIC is initially addressing many aspects of E-government implementation as part of\n    the FDICconnect initiative. DIRM has issued a Request For Proposals for a contract to\n    develop an e-business strategy and plan. Responses for this RFP are due 3/23/2001. The e-\n    business plan that will result from this contract will address many of the components\n    identified in this recommendation. We currently anticipate that the draft strategy and plan\n    will be completed by 6/30/2001 and the final version completed by12/31/2001. Specifically,\n\n   a) Corporate IT Investment Policy - There is an objective to establish a plan for developing\n      requirements for transforming business processes and developing business cases to\n      exploit e-business opportunities. 
The project will also develop e-business goals and\n      objectives and ensure that they can be integrated with corporate strategic goals which\n      drive DIRM\'s IT investment policy. The contract will include the analysis of alternatives\n      for the e-business technical architecture including a cost-benefit analysis.\n\n       System Architecture - The contract calls for the definition and refinement of the e-\n       business technological and security architecture emphasizing integration into FDIC\'s\n       system architecture. The effort will require the analysis of any gaps between the current\n\n\n\n\n                                                 10\n\x0c   technical architecture and the FDIC e-business vision and require the development of\n   strategic actions to achieve the FDIC target technical environment.\n\n   Security and Privacy - In support of the E-Business Technical Architecture Team, the\n   contract will include an analysis of the current e-business security architecture and the\n   development of recommendations for the target e-business architecture including\n   security. 
The contract calls for ensuring that e-business initiatives are consistent with the\n   Security Policy Memo 98-012, \xe2\x80\x9cFDIC Encryption/Digital Signature and Public Key\n   Infrastructure Standard\xe2\x80\x9d.\n\n   Record Keeping - As part of the e-business strategy, the contract calls for ensuring that e-\n   business initiatives are consistent with the Government Paperwork Elimination Act and\n   the Electronic Signature Act.\n\n   Needed Expertise and Training - While specific education and training activities will be\n   addressed in subsequent contract initiatives, this contract will evaluate marketing and\n   awareness activities related to the current FDICconnect project and identify lessons\n   learned and best practices for future e-business implementations.\n\nb) The development of the corporate e-business strategy will address the necessary OMB\n   guidelines on the implementation of GPEA. As part of the development of this strategy,\n   one of DIRM\xe2\x80\x99s goals is to develop an architectural approach that addresses security\n   issues, including electronic signatures. This strategy may be customer focused - for\n   example, all transactions associated with institutions will use the FDICconnect platform.\n   Once established, such a strategy will lead to the development of business cases and the\n   evaluation of applications. As noted earlier, GPEA does not mandate that one particular\n   form of electronic signature be used for E-government. There is a spectrum of currently\n   available electronic signature technologies, such as: PIN or password, smart card,\n   digitized signature, biometrics, shared symmetric key cryptography, and public/private\n   key cryptography (digital signatures) that are legitimate solutions in the proper context.\n   As the FDIC moves forward with our E-government activities, we will take advantage of\n   the most appropriate technologies to meet our business requirements. 
Currently with\n   FDICconnect, DIRM is working with Legal to determine the appropriate level of\n   electronic signature required on a transaction by transaction basis. For example, for the\n   first transaction that DIRM obtained legal consultation, Legal opined that the user\n   id/password combination and the security model provided by FDICconnect were\n   adequate in constituting a valid electronic signature for the DOF Assessment Payment\n   Options form.\n\nc) Once completed, the e-business plan will include the identification of the initial\n   application that will utilize PKI technology.\n\n\n\n\n                                             11\n\x0c   d) DIRM will ensure that security personnel are involved in the earliest stages of application\n      planning for the FDIC\xe2\x80\x99s transition to E-government. For example, under the\n      FDICconnect initiative, a security plan is being established as part of the pilot effort. The\n      FDICconnect team has worked with the Information Security Staff (ISS) as follows:\n\n       \xe2\x80\xa2      Copy of the functional requirements document for FDICconnect general security\n              system reviewed by ISS;\n\n       \xe2\x80\xa2      Primary Point-Of-Contact appointed from security;\n\n       \xe2\x80\xa2      ISS participated in the review of and recommendation of the technical\n              architecture for the FDICconnect pilot;\n\n       \xe2\x80\xa2      Worked with ISS on how the FDICconnect servers would be connected to FDIC\n              network;\n\n       \xe2\x80\xa2      Consulted with ISS on firewall issues. 
Continue to work with ISS on a solution for data transfer through the firewall;

• Consulted with ISS on "timing delay" issues between IIS and NT;

• ISS participated in the issuance of server certificates for FDICconnect;

• FDICconnect team members attended a demonstration from ISS on the certificate process. The team continues to discuss client certificates and the potential for their use in FDICconnect;

• ISS performed a "sweep" of the FDICconnect servers for technical infrastructure;

• Working with ISS to develop sensitivity assessment questionnaires for each individual transaction; and

• ISS will participate in FDICconnect testing.

Please address any questions to DIRM's Audit Liaison, Rack Campbell, on (703) 516-1422.

APPENDIX II

MANAGEMENT RESPONSES TO RECOMMENDATIONS

The Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its semiannual reports to the Congress. To consider FDIC's responses as management decisions in accordance with the act and related guidance, several conditions are necessary.
First, the response must describe for each recommendation

• the specific corrective actions already taken, if applicable;
• corrective actions to be taken together with the expected completion dates for their implementation; and
• documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for any disagreement. In the case of questioned costs, the amount FDIC plans to disallow must be included in management's response.

If management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid. Second, the OIG must determine that management's descriptions of (1) the course of action already taken or proposed and (2) the documentation confirming completion of corrective actions are responsive to its recommendations.

This table presents the management responses that have been made on recommendations in our report and the status of management decisions. The information for management decisions is based on management's written response to our report.

Rec. Number | Corrective Action: Taken or Planned/Status | Expected Completion Date | Documentation That Will Confirm Final Action | Monetary Benefits | Management Decision: Yes or No
1 | DIRM will continue to ensure that all PKI documents follow NIST standards and GAO guidelines. | March 19, 2001 | Management's response to the audit report. | N/A | Yes
2 | DIRM will continue to ensure that PKI development personnel adhere to established milestones for completing PKI development. | March 19, 2001 | Management's response to the audit report. | N/A | Yes
3 | DIRM will coordinate with other FDIC divisions and offices to develop an E-government implementation plan. | December 31, 2001 | E-business plan that contains the objectives and goals as described in management's response to the audit report. | N/A | Yes